METHOD AND SYSTEM FOR UNIFIED SESSION CONTROL OF MULTIPLE
MANAGEMENT SERVERS ON NETWORK APPLIANCES 

Field of the Invention 

The present invention relates to software integration, and in particular, to 
a method and system for managing multiple management servers by a single unified 
session manager to provide a unified session control. 

Background 

In today's network environment a variety of applications may be 
combined in a network device, such as a network appliance, and the like. Types, tasks 
and origins of the applications vary, as well as the types and numbers of management 
servers controlling them. For example, a network appliance may include virus scanning 
software, content filtering software, system management software, and the like. Each of 
the applications may come from a different manufacturer and each may have its own 
management server. Such a diverse array of applications may result in numerous 
problems, including the overall management of them remotely. Available integration 
solutions address some of the problems created by this variety, but fail to solve others. 

One possible solution to the difficulty of managing multiple servers is to 
allow some management servers to work independently. This may require a user to 
access each management server separately for tasks related to an application associated 
with the management server. Further implications of this method involve the user 
having to deal with separate login procedures for each management server, 
encountering potentially very different graphical user interfaces (GUIs), having to open
multiple ports through a main firewall system, and the like. 

Another commonly used method is to modify management servers in the 
network appliance to share login procedures, simplify access protocols, unify GUIs,
and the like. This often may mean rewriting code for some of the management servers, 
requiring not only authorization and support from the manufacturers of individual 
applications, but also having to acquire the necessary knowledge and skill to rewrite the
application. 

A further method is to create a common interface and require all 
application manufacturers to be compatible with the common interface. This method 
may not be feasible in an open infrastructure system. Even in a closed system, it is
likely to lead to increased cost and delay in a product introduction, as a complicated 
cooperation between multiple manufacturers may be needed. 

Thus, it is with respect to these considerations and others that the present 
invention has been made. 

Summary of the Invention

According to one aspect of the present invention, a method is directed to 
managing a network device. The method comprises receiving a request for access over 
a network to an application, establishing a session with a management server associated 
with the application, modifying and forwarding the request to the management server, 
receiving a response from the management server associated with the application, and
modifying and forwarding the response from the management server. 

According to another aspect of the present invention, a unified session 
manager is directed to managing a network device. The unified session manager 
comprises a first component configured to receive a request for access to an application 
on the network device and forward a response in return, and a second component,
coupled to the first component, configured to establish a session with a management
server associated with the application, to modify and forward the request to the
management server, to receive the response from the management server associated
with the application, and to modify and forward the response from the management
server to the first component to be forwarded.

According to a further aspect of the present invention, a method is 
directed to managing a plurality of management servers. The method comprises 
establishing a session between a unified session manager and at least one of the 
plurality of the management servers, wherein the unified session manager is enabled to 
operate on behalf of a client requesting access to an application associated with the
management server, and modifying a message between the client and at least one of the 
plurality of the management servers, wherein the modification is transparent to the 
client and the management server.

According to yet another aspect of the present invention, in a computer
system having a graphical user interface including a display and a user interface
selection device, a method is directed to providing a selecting menu on the display to 
access an application over a network. The method comprises retrieving a set of menu 
entries for the menu including at least access to an application, and the like,
displaying the menu on the display comprising the set of menu entries, retrieving a
menu entry selection signal indicative of the user interface selection, wherein the menu
entry selection signal is modified and forwarded to a management server associated 
with the application, and receiving another signal indicative of a response by the 
management server, wherein the signal is modified and forwarded to the user. 

Brief Description of the Drawings

Non-limiting and non-exhaustive embodiments of the present invention 
are described with reference to the following drawings. In the drawings, like reference 
numerals refer to like parts throughout the various figures unless otherwise specified. 

For a better understanding of the present invention, reference will be 
made to the following Detailed Description of the Invention, which is to be read in
association with the accompanying drawings, wherein: 

FIGURE 1 illustrates one embodiment of an environment in which the 
invention may operate; 

FIGURE 2 illustrates a functional block diagram of a system in 
accordance with one embodiment of the present invention;

FIGURE 3 illustrates a functional block diagram of a system in 
accordance with another embodiment of the present invention; and 

FIGURE 4 illustrates a flow diagram generally showing one embodiment 
of a process for using a unified session manager of multiple management servers.

Detailed Description of the Preferred Embodiment

The present invention now will be described more fully hereinafter with 
reference to the accompanying drawings, which form a part hereof, and which show, by 
way of illustration, specific exemplary embodiments by which the invention may be 
practiced. This invention may, however, be embodied in many different forms and
should not be construed as limited to the embodiments set forth herein; rather, these 
embodiments are provided so that this disclosure will be thorough and complete, and 
will fully convey the scope of the invention to those skilled in the art. Among other 
things, the present invention may be embodied as methods or devices. Accordingly, the
present invention may take the form of an entirely hardware embodiment, an entirely
software embodiment or an embodiment combining software and hardware aspects. 
The following detailed description is, therefore, not to be taken in a limiting sense. 

The terms "comprising," "including," "containing," "having," and
"characterized by," refer to an open-ended or inclusive transitional construct and do
not exclude additional, unrecited elements, or method steps. For example, a
combination that comprises A and B elements, also reads on a combination of A, B, and
C elements.

The meaning of "a," "an," and "the" include plural references. The 
meaning of "in" includes "in" and "on." Additionally, a reference to the singular 
includes a reference to the plural unless otherwise stated or is inconsistent with the
disclosure herein. 

The term "or" is an inclusive "or" operator, and includes the term 
"and/or," unless the context clearly dictates otherwise. 

The phrase "in one embodiment," as used herein does not necessarily 
refer to the same embodiment, although it may.

The term "based on" is not exclusive and provides for being based on 
additional factors not described, unless the context clearly dictates otherwise. 

The term "flow" includes a flow of packets through a network. The term 
"connection" refers to a flow or flows of messages that typically share a common 
source and destination.

Briefly stated, the present invention is directed to a method and system
for managing multiple management servers by a unified session manager. The unified 
session manager may authenticate a user requesting access to a network appliance. The 
unified session manager then establishes a session with a management server associated 
with a component application, based, in part, on the request for access. The unified
session manager translates graphical user interface (GUI) messages, network addresses, 
and the like, between the user and the management server, while the user is in the 
session with the network appliance. This provides the user with a uniform interface for 
the plurality of management servers associated with the network appliance. 

Illustrative Operating Environment

FIGURE 1 illustrates one embodiment of an environment in which the 
invention may operate. Not all the components may be required to practice the 
invention, and variations in the arrangement and type of the components may be made 
without departing from the spirit or scope of the invention. 

As shown in the figure, system 100 includes Local Area Network / Wide
Area Network (LAN/WAN) 104, client 102, and a network device 106. Client 102 and
network device 106 are in communication over LAN/WAN 104. 

LAN/WAN 104 is enabled to employ any form of computer readable 
media for communicating information from one electronic device to another. In
addition, LAN/WAN 104 may include the Internet in addition to local area networks,
wide area networks, direct channels, such as through a universal serial bus (USB) port,
other forms of computer-readable media, and any combination thereof. On an
interconnected set of LANs, including those based on differing architectures and
protocols, a router acts as a link between LANs, enabling messages to be sent from one
to another. Also, communication links within LANs typically include twisted pair or
coaxial cable, while communication links between networks may utilize analog
telephone lines, full or fractional dedicated digital lines including T1, T2, T3, and T4,
Integrated Services Digital Networks (ISDNs), Digital Subscriber Lines (DSLs),
wireless links including satellite links, or other communications links known to those
skilled in the art. Furthermore, remote computers and other related electronic devices
may be remotely connected to either LANs or WANs via a modem and temporary
telephone link. In essence, LAN/WAN 104 may include any communication
mechanism by which information may travel between network devices, such as client
102 and network device 106.

Client 102 may be any network device capable of communicating over a
network, such as LAN/WAN 104, to network device 106, and the like. Client 102 may
allow one or more users, such as an administrator, to access resources over LAN/WAN
104 such as network device 106. The set of such devices may include devices that
typically connect using a wired communications medium such as personal computers,
multiprocessor systems, microprocessor-based or programmable consumer electronics,
network PCs, and the like, that are configured to operate as a client. The set of such
devices may also include devices that typically connect using a wireless
communications medium such as cell phones, smart phones, pagers, radio frequency
(RF) devices, infrared (IR) devices, CBs, integrated devices combining one or more of
the preceding devices, and the like, that are configured as a client. Alternatively, client
102 may be any device that is capable of connecting using a wired or wireless
communication medium such as a PDA, POCKET PC, wearable computer, and any 
other device that is equipped to communicate over a wired and/or wireless 
communication medium, operating as a client. 

Network device 106 may include any computing device or devices
capable of providing a user access to a resource, such as an application on network
device 106, and the like. Devices that may operate as network device 106 include, but
are not limited to, personal computers, desktop computers, multiprocessor systems,
microprocessor-based or programmable consumer electronics, network PCs, web
servers, cache servers, file servers, routers, gateways, switches, bridges, firewalls,
proxies, and the like. In one embodiment network device 106 may operate as a network
appliance comprising a plurality of applications and their associated management 
servers.

Although not shown, a plurality of applications and their associated
management servers may reside in network device 106 or reside in another network
device and be managed by network device 106.

General and Illustrative Operations

FIGURE 2 illustrates a functional block diagram of one embodiment of
a network appliance 214 within system 200 in which the present invention may be
practiced. Network appliance 214 provides one embodiment for network device 106 of
FIGURE 1. It will be appreciated that not all components of system 200 and network
appliance 214 are illustrated, and that system 200 and network appliance 214 may
include more or less components than those shown in the figure.

As illustrated in FIGURE 2, system 200 includes web browser 202, 
LAN/WAN 204, firewall 206, and network appliance 214. 

Web browser 202 may be any application capable of communicating 
over a network, such as LAN/WAN 204, to network appliance 214, and the like. The
set of such applications may include applications that typically connect using a network
connection. Web browser 202 may include, but is not limited to, Internet Explorer™,
Netscape Browser™, and the like. Web browser 202 may reside in one embodiment of
client 102 of FIGURE 1, and may communicate with network appliance 214 via
HTML, a proprietary computer language, and the like. In one embodiment, web
browser 202 may provide a user with an integrated GUI for any available applications
from network appliance 214. Although web browser 202 illustrates a browser 
application, virtually any windowing application may be employed that enables an 
interaction with a remote application over the network. 

LAN/WAN 204 is substantially the same entity as LAN/WAN 104 as
described in FIGURE 1 above.

Firewall 206 may be any network device capable of providing 
specialized network services to network appliance 214, such as protection, translation, 
routing, and the like. Firewall 206 may include devices such as hubs, network address 
translators (NATs), routers, gateways, and the like. Firewall 206 may be managed by
network appliance 214, by another network device, self-managed, and the like.

Network appliance 214 may be any network device employing a
plurality of applications and associated management servers. Network appliance 214
may be constructed in distributed or integrated form, and it may include unified session
manager 208, management server 210, and component application 212.

Unified session manager 208 may provide a unified interface to users
such as web browser 202. Unified session manager 208 may interact with a plurality of
management servers 210 associated with network appliance 214. Unified session 
manager 208 may further manage independent component application 212. 

In one embodiment, unified session manager 208 may authenticate a user 
seeking access to an application on network appliance 214 from web browser 202. If the
sought application is associated with management server 210, unified session manager 
208 may authenticate itself to management server 210, establish a session and perform 
translation between the user and management server 210 to provide a unified interface 
to the user. 

In another embodiment, unified session manager 208 may provide the
user direct access to one or more component applications 212, if the application is
directly managed by unified session manager 208. 

Unified session manager 208, management server 210, and component 
application 212 may be implemented by computer program instructions, special purpose
hardware-based systems, which perform the specified actions or steps, or combinations
of special purpose hardware and computer instructions, and the like. 

In yet another embodiment, management server 210 may be accessible 
only by unified session manager 208. Access to management server 210 may be 
blocked to external hosts, such as client 102 in FIGURE 1. Firewall software may be
incorporated into network appliance 314 to block requests from external hosts.

FIGURE 3 illustrates a functional block diagram of another embodiment 
of a network appliance 314 within system 300 in which the present invention may be 
practiced. As in FIGURE 2, network appliance 314 provides one embodiment for 
network device 106 of FIGURE 1. It will be appreciated that not all components of 
system 300 and network appliance 314 are illustrated, and that system 300 and network
appliance 314 may include more or less components than those shown in the figure. 

FIGURE 3 includes three representative web browsers (302) compared 
to the single web browser of FIGURE 2. Each of the browsers in web browsers 302 
may be substantially identical to web browser 202 of FIGURE 2. Web browsers 302
may provide a user seeking access to an application on network appliance 314 an
individual GUI for each application. Each web server 302, GUI components residing in
web browsers 302, and the like, may communicate with network appliance 314 over 
LAN/WAN 304 using one or more channels. 

LAN/WAN 304 is substantially the same as LAN/WAN 204 as
described in FIGURE 2 above.

Firewall 306 is also substantially the same as firewall 206 of FIGURE 2 
above. Network appliance 314 is substantially similar to network appliance 214 of 
FIGURE 2. As in FIGURE 2, unified session manager 308 may manage a plurality of
component applications 312 directly and provide access to users. For other component
applications 312 managed by one or more management servers 310, unified session
manager 308 may perform actions including authentication to management servers 310
and translation between the user and management servers 310. Management servers 310
may manage one or more component applications 312. 

Unified session manager 308 may retrieve an authentication token for
requests from one of web browsers 302, GUI components of web browsers 302, and the
like, and pass the information to another web browser, GUI components of web
browsers 302, and the like, via a secure communication channel.

Unified session manager 308, management server 310, and component
application 312 may be implemented by computer program instructions, special purpose
hardware-based systems, which perform the specified actions or steps, or combinations 
of special purpose hardware and computer instructions, and the like. 

FIGURE 4 illustrates a flow diagram generally showing process 400 for
managing a network device to provide a unified user interface, according to one
embodiment of the invention. Process 400 may, for example, be implemented in
network device 106 of FIGURE 1.

As shown in FIGURE 4, process 400 begins, after a start block, at block 
402, where a unified session manager receives a request for access from a user to an 
application on the network device. The unified session manager may or may not reside
on the network device. Processing then proceeds to block 404. 

At block 404, the unified session manager authenticates the user. 
Authentication may include verification of a login password, verification of a digital 
signature, recognition of the user's MAC address, and the like. Processing then 
proceeds to block 406.

At block 406, the unified session manager establishes a session with the 
user and determines which application the user is trying to access. An application on 
the network device may be directly managed by the unified session manager. Another 
application on the network device may be managed by a separate management server. 
Process 400 proceeds to decision block 408.

At block 408 a decision is made whether a separate management server 
is involved with the remainder of process 400 or not. The decision is based, in part, on 
the determination of the unified session manager at block 406. If a management server 
is involved, processing proceeds to block 414. If the requested application is managed 
directly by the unified session manager, processing proceeds to block 410.

At block 410, the unified session manager establishes a session with the 
application directly. Processing then proceeds to block 412. 

At block 412, the unified session manager provides the user access to the 
application by modifying requests and responses between the user and the application. 
Upon completion of block 412, process 400 may return to a calling process to perform
other actions. 

At decision block 408, if a management server is involved, processing 
proceeds to block 414. Block 414 is another decision block, where the unified session 
manager determines if it can establish a session with the management server. 
Establishing a session with the management server may include providing the
management server a login password independent from the login password used to
authenticate the user. Establishing a session with the management server may further
include providing a digital signature, an authentication certificate, and the like. If the
session with the management server is not established at block 414, processing proceeds
to block 416, where communication is terminated and process 400 may return to a
calling process to perform other actions. 

If the session with the management server is established at block 414, 
processing proceeds to block 418, where the unified session manager initiates a 
brokering session. Brokering session may be performed to provide the user with a
unified interface independent of the management server. Brokering session may
include translating GUI messages between the user and the management server to
conform the messages to a unified format. Brokering session may further include
modifying network addresses such as URLs between the user and the management
server, attaching additional information to requests and responses, and the like. Process
400 then proceeds to block 420.

At block 420, the unified session manager establishes a session with the 
requested application through the management server. Upon verification of the session 
with the application and completion of block 420, processing proceeds to block 422. 

At block 422, the unified session manager provides the user access to the
application. The management server's involvement is transparent to the user. Upon
completion of block 422, process 400 may return to a calling process to perform other 
actions. 
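
The decision flow of process 400 (blocks 402 to 422), sketched in Python as an added example; it is not code from this disclosure. The `/apps/<name>/` URL scheme, the loopback server addresses, the accounts and the secrets are constructed assumptions, and the management-server login of block 414 is simulated by a lookup table.

```python
# Added illustration of process 400; every host, account and secret is constructed.
import hashlib
import hmac
import secrets

SALT = b"constructed-salt"


def kdf(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {"admin": kdf("user-pass")}  # block 404 credential store
# Per-application routing; server=None means the manager controls the app directly.
APPS = {
    "sysmgmt": {"server": None, "login": None},
    "antivirus": {"server": "http://127.0.0.1:8081", "login": ("usm-svc", "av-secret")},
    "filter": {"server": "http://127.0.0.1:8082", "login": ("usm-svc", "stale-secret")},
}
# Stand-in for each management server's own login check (block 414).
SERVER_ACCOUNTS = {
    "http://127.0.0.1:8081": ("usm-svc", "av-secret"),
    "http://127.0.0.1:8082": ("usm-svc", "filter-secret"),
}


class UnifiedSessionManager:
    def __init__(self):
        self.sessions = {}  # token -> {"user", "app", "server"}

    def open_session(self, user, password, app):
        """Blocks 402-420: returns (token, status); token is None on failure."""
        stored = USERS.get(user, b"")
        if not hmac.compare_digest(stored, kdf(password)):        # block 404
            return None, "user authentication failed"
        route = APPS.get(app)                                      # block 406
        if route is None:
            return None, "unknown application"
        server = route["server"]
        if server is not None:                                     # block 408
            # Block 414: the manager logs in with its own credential, independent
            # of the user's password, which is never forwarded to the server.
            if SERVER_ACCOUNTS.get(server) != route["login"]:
                return None, "management server session not established"  # 416
        token = secrets.token_urlsafe(16)
        self.sessions[token] = {"user": user, "app": app, "server": server}
        return token, "ok"

    def to_backend(self, token, path):
        """Block 418, request side: map the unified URL to the server's URL."""
        s = self.sessions.get(token)
        if s is None:
            raise PermissionError("no such session")
        prefix = f"/apps/{s['app']}/"
        # A session is bound to the application it was opened for.
        if not path.startswith(prefix) or ".." in path.split("/"):
            raise PermissionError("path outside this session's application")
        if s["server"] is None:
            return path                                            # blocks 410/412
        return s["server"] + "/" + path[len(prefix):]

    def to_client(self, token, body):
        """Block 418, response side: hide management-server addresses."""
        s = self.sessions[token]
        if s["server"] is None:
            return body
        return body.replace(s["server"] + "/", f"/apps/{s['app']}/")


if __name__ == "__main__":
    usm = UnifiedSessionManager()
    tok, status = usm.open_session("admin", "user-pass", "antivirus")
    print(status, usm.to_backend(tok, "/apps/antivirus/status"))
    print(usm.to_client(tok, '<a href="http://127.0.0.1:8081/scan/report">'))
    print(usm.open_session("admin", "user-pass", "filter"))
```

The "filter" entry carries a deliberately stale secret so that the block 414 to block 416 termination path is exercised alongside the successful brokered and direct paths.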

It will be understood that each block of the flowchart illustrations 
discussed above, and combinations of blocks in the flowchart illustrations above, can be
implemented by computer program instructions. These program instructions may be
provided to a processor to produce a machine, such that the instructions, which execute
on the processor, create means for implementing the actions specified in the flowchart
block or blocks. The computer program instructions may be executed by a processor to
cause a series of operational steps to be performed by the processor to produce a
computer-implemented process such that the instructions, which execute on the
processor, provide steps for implementing the actions specified in the flowchart
block or blocks. 

Although the invention is described in terms of communication between 
a unified session manager and a user, the invention is not so limited. For example, the 
communication may be between virtually any resource, including but not limited to
multiple users, multiple servers, and any other device, without departing from the scope 
of the invention. 

Accordingly, blocks of the flowchart illustrations support combinations 
of means for performing the specified actions, combinations of steps for performing the 
specified actions and program instruction means for performing the specified actions. It
will also be understood that each block of the flowchart illustrations, and combinations 
of blocks in the flowchart illustrations, can be implemented by special purpose 
hardware-based systems, which perform the specified actions or steps, or combinations 
of special purpose hardware and computer instructions. 